
Published: June 13, 2026
The CISA Known Exploited Vulnerabilities (KEV) catalog is a free, authoritative list maintained by the US Cybersecurity and Infrastructure Security Agency of CVEs that have been observed in active exploitation. For medical device manufacturers, the KEV catalog is the highest-priority input into SBOM and VEX triage: a KEV-listed CVE that touches a shipped component should drive immediate triage, customer communication, and patch planning, and the FDA expects KEV-aware postmarket monitoring under Section 524B.
The KEV catalog was created in 2021 under Binding Operational Directive 22-01 to give federal agencies a focused remediation list. For medical device manufacturers, it has become the most useful single signal for prioritizing vulnerability work, because a CVE on KEV is not a theoretical risk; CISA has evidence of active exploitation in the wild. The FDA's February 3, 2026 final premarket cybersecurity guidance does not name KEV explicitly, but reviewers expect postmarket monitoring to include exploit-availability signals, and KEV is the canonical source. This post explains what KEV is, how to wire it into SBOM/VEX triage, and how it shows up in submissions and deficiency letters.
Key Takeaways
- The KEV catalog lists CVEs with confirmed active exploitation, not theoretical risk.
- Inclusion on KEV is a strong signal for immediate triage on any shipped component.
- VEX statements should explicitly address KEV-listed CVEs that touch the device SBOM.
- The FDA expects postmarket monitoring to include exploit-availability signals.
- KEV-listed CVEs that go unaddressed in a submission are a deficiency-letter pattern.
Table of Contents
- What the CISA KEV Catalog Is
- How KEV Differs From the NVD and CVSS
- How KEV Fits Into SBOM and VEX Triage
- How the FDA Treats KEV in Submissions
- Operational Workflow for KEV Monitoring
- How Blue Goat Approaches KEV in Postmarket Programs
- FAQ
Why this matters
Medical device manufacturers ship products with hundreds or thousands of third-party software components. Most published CVEs never see exploitation in the wild, and chasing every CVSS-7-or-higher CVE is impractical. The KEV catalog cuts through that noise by focusing on CVEs with confirmed active exploitation. The FDA's February 3, 2026 final premarket cybersecurity guidance ties postmarket monitoring expectations to a defensible vulnerability management process; CISA's KEV catalog, the NVD, and exploit telemetry are the standard inputs. Independent research from CISA and the Cyber Safety Review Board has consistently shown that exploited vulnerabilities cluster around a small, known set, which is exactly what the KEV catalog enumerates. Manufacturers that wire KEV into SBOM/VEX triage produce postmarket evidence that satisfies reviewers and reduces the time between a relevant CVE landing on KEV and a customer advisory going out.
What the CISA KEV Catalog Is
Origin and Scope
CISA established the KEV catalog under Binding Operational Directive 22-01 in November 2021. The catalog lists CVEs that meet three criteria: the CVE is assigned, there is reliable evidence of active exploitation in the wild, and there is clear remediation guidance (typically a vendor patch). The catalog is updated continuously and published as a free, machine-readable feed.
What It Is Not
The KEV catalog is not a vulnerability scanner output, a severity ranking, or a complete list of important CVEs. CVEs without confirmed exploitation evidence do not appear on KEV even if they have a high CVSS score. KEV inclusion is a forward-looking risk signal, not a comprehensive risk metric.
How KEV Differs From the NVD and CVSS
KEV Is a Behavior Signal, Not a Score
| Source | What it tells you | Best use |
|---|---|---|
| NVD | All published CVEs with descriptions and references | Component-level vulnerability scanning |
| CVSS | A severity score (base, temporal, environmental) | Initial severity triage |
| KEV | Active exploitation evidence and remediation guidance | Prioritization above all other signals |
| EPSS | Probability a CVE will be exploited in the next 30 days | Forecast for non-KEV CVEs |
Most mature postmarket programs use all four. KEV is the top of the prioritization stack because the exploitation is no longer hypothetical.
How KEV Fits Into SBOM and VEX Triage
The Matching Step
The SBOM is the inventory: every component in the shipped device with version and purl or CPE identifiers. The matching step joins the SBOM to the KEV catalog, the NVD, and EPSS scores. Any KEV match on a shipped component is the highest-priority triage item.
The VEX Statement
The VEX (Vulnerability Exploitability eXchange) statement is the manufacturer's documented position on each relevant CVE: whether the vulnerable code path is reachable, whether a fix is available, and what mitigation is in place. A KEV-listed CVE that touches the SBOM should have an explicit VEX statement, even if the conclusion is "not affected" because the vulnerable function is not invoked in the shipped configuration.
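The matching step and the VEX step above can be wired together in a short script. The example below is added here and is not code from the original post or from Blue Goat's tooling. It assumes an upstream scanner has already done the NVD/CPE version matching and produced a CVE-to-component map; the script only performs the KEV join and emits a CycloneDX-style VEX document. The KEV feed sample is constructed but mirrors the field names of CISA's published JSON feed (cveID, vendorProject, product, dateAdded, requiredAction, dueDate); the CVE IDs, component names and the "cisa:kev:*" property names are placeholders. Every KEV match gets an entry even when engineering has not yet recorded a position, so the document never silently omits a KEV-listed CVE.

```python
"""Join scanner findings against the CISA KEV feed and emit a CycloneDX-style VEX.

Added example (not from the original post). All CVE IDs, components and
dispositions below are constructed placeholders.
"""
import json
from typing import Any

# Constructed sample of the KEV feed. The real known_exploited_vulnerabilities.json
# uses the same top-level "vulnerabilities" list and field names; values here are fake.
KEV_FEED_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "placeholder",
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "vendorProject": "ExampleLibs", "product": "libparse",
         "dateAdded": "2026-05-20", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2026-06-10", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2099-0002", "vendorProject": "ExampleLibs", "product": "tlsstack",
         "dateAdded": "2026-06-01", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2026-06-22", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2099-0003", "vendorProject": "OtherVendor", "product": "webui",
         "dateAdded": "2026-06-05", "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2026-06-26", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner output for one device build: CVE -> SBOM bom-refs it applies to.
# Assumes the scanner already did NVD/CPE matching; only the KEV join happens here.
SCANNER_FINDINGS = {
    "CVE-2099-0001": ["pkg:generic/libparse@2.1.0"],
    "CVE-2099-0002": ["pkg:generic/tlsstack@1.4.2"],
    "CVE-2099-0009": ["pkg:generic/uilib@0.9.0"],   # high CVSS, not on KEV: no VEX required
}

# Engineering dispositions recorded by the triage owner (constructed). CycloneDX
# analysis states and justifications are used so the VEX validates downstream.
DISPOSITIONS = {
    "CVE-2099-0001": {"state": "not_affected", "justification": "code_not_reachable",
                      "detail": "Vulnerable parser entry point is compiled out of the device build."},
    "CVE-2099-0002": {"state": "affected", "justification": None,
                      "detail": "Fix scheduled for next firmware release; segmentation guidance issued."},
}


def load_kev(feed_json: str) -> dict[str, dict[str, Any]]:
    """Index the KEV feed by CVE ID so each lookup is a dictionary hit."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def kev_matches(kev: dict[str, dict[str, Any]], findings: dict[str, list[str]]) -> list[dict]:
    """Return every scanner finding whose CVE is on KEV, most recently listed first."""
    matches = [{"cve": cve, "affects": refs, "kev": kev[cve]}
               for cve, refs in findings.items() if cve in kev]
    return sorted(matches, key=lambda m: m["kev"]["dateAdded"], reverse=True)


def build_vex(matches: list[dict], dispositions: dict[str, dict]) -> dict:
    """Emit a CycloneDX-style VEX with one entry per KEV match.

    A match without a recorded disposition is emitted as in_triage rather than
    dropped, so a missing engineering position is visible instead of silent.
    """
    vulns = []
    for m in matches:
        d = dispositions.get(m["cve"], {
            "state": "in_triage", "justification": None,
            "detail": "Triage open; KEV match awaiting engineering review."})
        analysis = {"state": d["state"], "detail": d["detail"]}
        if d["justification"]:
            analysis["justification"] = d["justification"]
        vulns.append({
            "id": m["cve"],
            "source": {"name": "CISA KEV",
                       "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"},
            # Property names are our own convention (constructed), not a CycloneDX standard.
            "properties": [{"name": "cisa:kev:dateAdded", "value": m["kev"]["dateAdded"]},
                           {"name": "cisa:kev:dueDate", "value": m["kev"]["dueDate"]}],
            "analysis": analysis,
            "affects": [{"ref": r} for r in m["affects"]],
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "vulnerabilities": vulns}


if __name__ == "__main__":
    kev = load_kev(KEV_FEED_JSON)
    print(json.dumps(build_vex(kev_matches(kev, SCANNER_FINDINGS), DISPOSITIONS), indent=2))
```

Running it prints two VEX entries: the tlsstack CVE as "affected" and the libparse CVE as "not_affected" with a "code_not_reachable" justification; the non-KEV uilib finding is left for the normal CVSS/EPSS queue. Swap the constructed feed for the downloaded KEV JSON and the constructed findings for your scanner's output and the rest of the pipeline is unchanged.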
The Customer Communication Path
See also: CVSS 3.1 vs 4.0 for Medical Devices: Vector Strings, Scoring, and What FDA Reviewers Want, Cybersecurity Is Now a QMS Requirement: What MedTech Teams Need to Document, Control & Maintain, and SBOM vs VEX: What's the Difference? (Medical Device Guide).
KEV-listed CVEs commonly drive customer communications even when the device is not affected, because hospital security teams ask. The postmarket program should be ready to issue a brief security advisory that names the CVE, the KEV status, the affected component, and the device's position with VEX justification.
How the FDA Treats KEV in Submissions
The Premarket Expectation
The February 3, 2026 final premarket cybersecurity guidance does not name KEV explicitly, but the postmarket cybersecurity management plan section expects manufacturers to describe how they will monitor for emerging vulnerabilities and respond. Reviewers consistently look for KEV as a named input source in that description. A plan that lists "NVD and vendor advisories" without mentioning exploit-availability signals reads as incomplete.
The Deficiency Pattern
The most common KEV-related deficiency pattern is an SBOM submission that contains components with KEV-listed CVEs and no VEX statement addressing them. Reviewers do not necessarily require remediation before clearance, but they do require a documented position with technical justification.
Operational Workflow for KEV Monitoring
A defensible workflow for KEV monitoring looks like this:
- Subscribe to the KEV catalog feed and ingest updates daily.
- Match new KEV entries against the active SBOM index for every supported product.
- Open a triage record for every match, with severity, exploit path, and owner.
- Produce or update a VEX statement for each match within a defined SLA (often 7 days).
- Issue a customer advisory when the device is affected or when customer security teams are likely to ask.
- Track time-to-VEX and time-to-advisory as postmarket KPIs.
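The last two steps, the SLA on VEX production and the time-to-VEX and time-to-advisory KPIs, are easy to state and easy to lose track of once dozens of triage records are open. The following is an added example, not code from the original post or from Blue Goat, showing how the KPIs fall out of the triage records themselves. It assumes each record carries the KEV dateAdded, the VEX publication date (empty while open) and the advisory date (empty if none was issued); the 7-day SLA is the figure the post quotes, and the records, products and CVE IDs are constructed. An open record that is already older than the SLA is reported as a breach, not hidden behind the "no VEX yet" state.

```python
"""Time-to-VEX and time-to-advisory KPIs with SLA breach detection.

Added example (not from the original post). Records below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass
class TriageRecord:
    cve: str
    product: str
    kev_added: date                   # dateAdded from the KEV feed
    vex_published: Optional[date]     # None while the VEX statement is still open
    advisory_issued: Optional[date]   # None if no customer advisory was issued
    owner: str


def days_between(start: date, end: date) -> int:
    return (end - start).days


def kpi_report(records: list[TriageRecord], as_of: date, sla_days: int = 7) -> dict:
    """Return per-record durations, SLA breaches and summary statistics.

    A record breaches the SLA when its VEX was published more than sla_days after
    the KEV listing, or when it is still open and already older than sla_days on
    the reporting date. Both cases are listed so an open record cannot hide.
    """
    time_to_vex, time_to_advisory, breaches = [], [], []
    for r in records:
        if r.vex_published is not None:
            d = days_between(r.kev_added, r.vex_published)
            time_to_vex.append(d)
            if d > sla_days:
                breaches.append((r.cve, "vex_late", d))
        else:
            age = days_between(r.kev_added, as_of)
            if age > sla_days:
                breaches.append((r.cve, "vex_open_past_sla", age))
        if r.advisory_issued is not None:
            time_to_advisory.append(days_between(r.kev_added, r.advisory_issued))
    return {
        "time_to_vex_days": time_to_vex,
        "time_to_advisory_days": time_to_advisory,
        "median_time_to_vex": median(time_to_vex) if time_to_vex else None,
        "max_time_to_vex": max(time_to_vex) if time_to_vex else None,
        "open_vex_count": sum(1 for r in records if r.vex_published is None),
        "sla_breaches": breaches,
    }


# Constructed triage records for two hypothetical products.
SAMPLE_RECORDS = [
    TriageRecord("CVE-2099-0001", "ExamplePump", date(2026, 5, 20),
                 date(2026, 5, 24), date(2026, 5, 25), "fw-team"),
    TriageRecord("CVE-2099-0002", "ExamplePump", date(2026, 6, 1),
                 date(2026, 6, 10), None, "net-team"),
    TriageRecord("CVE-2099-0003", "ExampleMonitor", date(2026, 6, 5),
                 None, None, "fw-team"),
]
REPORT_AS_OF = date(2026, 6, 13)   # constructed reporting date


def sample_report() -> dict:
    """Run the KPI report over the constructed records (7-day SLA)."""
    return kpi_report(SAMPLE_RECORDS, as_of=REPORT_AS_OF)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

On the sample data the report shows a median time-to-VEX of 6.5 days, one VEX published late (9 days) and one open record already 8 days old, which is exactly the pair of conditions a reviewer would ask about when looking at the SLA.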
How Blue Goat Approaches KEV in Postmarket Programs
We build postmarket cybersecurity programs around KEV as the top-priority signal, ingest the catalog daily, and match it against the SBOM index for every supported product. VEX statements are produced or updated on a defined SLA, and customer advisories are pre-templated so the time from KEV update to customer communication stays short. Our team holds CISSP, OSCP, and prior military red-team credentials, and our postmarket work is grounded in Section 524B, the FDA's February 3, 2026 final premarket cybersecurity guidance, AAMI SW96:2023, and IEC 81001-5-1. If the FDA raises cybersecurity deficiencies after our submission, we resolve them at no additional cost. Start with our postmarket SBOM and VEX monitoring service or review the SBOM vulnerability management guide.
FAQ
Is the CISA KEV catalog mandatory for medical device manufacturers?
The KEV catalog is mandatory for US federal civilian executive branch agencies under Binding Operational Directive 22-01. It is not directly mandatory for medical device manufacturers, but the FDA's postmarket cybersecurity expectations make a KEV-aware monitoring program effectively required for a defensible submission.
How often is the KEV catalog updated?
CISA updates the catalog as exploitation evidence is confirmed, often multiple times per week. Postmarket programs should ingest the feed daily and triage new matches against the SBOM index within a defined SLA.
Do we need a VEX statement for every KEV-listed CVE?
You need a VEX statement for every KEV-listed CVE that touches a component in your shipped SBOM. If the CVE does not match any shipped component, no VEX is required, but the matching evidence should be recorded so the absence of a statement is itself defensible.
How does KEV interact with CVSS?
CVSS gives a severity score; KEV gives an exploitation signal. A CVE with CVSS 9.8 and no KEV listing is theoretically severe but not confirmed exploited. A CVE with CVSS 5.5 on KEV is being actively exploited and warrants immediate triage. Most mature programs prioritize KEV above any CVSS threshold.
What about EPSS?
EPSS (Exploit Prediction Scoring System) estimates the probability a CVE will be exploited in the next 30 days. It is useful for prioritizing non-KEV CVEs. The standard stack is KEV first, then high-EPSS items, then high-CVSS items, with VEX statements addressing each layer.
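The "KEV first, then high EPSS, then high CVSS" stack from the two answers above is a sort order, and writing it down as one makes the tie-breaking explicit. The example below is added here and is not code from the original post or from Blue Goat. It assumes each finding has already been enriched with its CVSS base score, its EPSS probability and its KEV status (with the KEV dueDate where listed); the EPSS threshold of 0.10 and the CVSS threshold of 7.0 are constructed parameters, and the findings and CVE IDs are placeholders. The sample reproduces the post's own contrast: a CVSS 9.8 CVE with no KEV listing lands below a CVSS 5.5 CVE that is on KEV.

```python
"""Rank SBOM findings by the KEV -> EPSS -> CVSS prioritization stack.

Added example (not from the original post). Thresholds and findings are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    component: str
    cvss: float          # CVSS base score
    epss: float          # EPSS probability (0..1) of exploitation in the next 30 days
    on_kev: bool         # present in the CISA KEV catalog
    kev_due: str = ""    # KEV dueDate (ISO date) when listed, else empty


EPSS_HIGH = 0.10   # constructed threshold; tune to the program's risk appetite
CVSS_HIGH = 7.0    # constructed threshold
TIER_NAMES = {0: "KEV", 1: "HIGH_EPSS", 2: "HIGH_CVSS", 3: "BACKLOG"}


def tier(f: Finding) -> int:
    """0 = on KEV, 1 = high EPSS, 2 = high CVSS, 3 = everything else."""
    if f.on_kev:
        return 0
    if f.epss >= EPSS_HIGH:
        return 1
    if f.cvss >= CVSS_HIGH:
        return 2
    return 3


def priority_key(f: Finding) -> tuple:
    """Tier first; within the KEV tier the nearest CISA due date wins; then EPSS, then CVSS."""
    return (tier(f), f.kev_due or "9999-12-31", -f.epss, -f.cvss)


def rank(findings: list[Finding]) -> list[Finding]:
    return sorted(findings, key=priority_key)


def triage_plan(findings: list[Finding]) -> list[tuple[str, str]]:
    """Ordered (tier name, CVE) pairs: the work queue the triage owner walks top-down."""
    return [(TIER_NAMES[tier(f)], f.cve) for f in rank(findings)]


# Constructed findings; CVE IDs and components are placeholders.
SAMPLE = [
    Finding("CVE-2099-0101", "webui", cvss=9.8, epss=0.04, on_kev=False),
    Finding("CVE-2099-0102", "tlsstack", cvss=5.5, epss=0.02, on_kev=True, kev_due="2026-06-22"),
    Finding("CVE-2099-0103", "libparse", cvss=7.5, epss=0.35, on_kev=False),
    Finding("CVE-2099-0104", "kernel", cvss=8.8, epss=0.01, on_kev=True, kev_due="2026-06-10"),
    Finding("CVE-2099-0105", "zlib-fork", cvss=4.3, epss=0.01, on_kev=False),
]

if __name__ == "__main__":
    for tier_name, cve in triage_plan(SAMPLE):
        print(f"{tier_name:10s} {cve}")
```

The two KEV entries come out first, ordered by CISA's due date, followed by the high-EPSS finding, then the CVSS 9.8 finding that nothing has been seen exploiting, and finally the backlog. Each tier maps onto a VEX layer as the answer describes, so the same ordering can drive which statements are written first.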
Ready to wire KEV into your postmarket program?
If you ship connected medical devices and need a postmarket cybersecurity program that ingests KEV daily, matches against your SBOM index, and produces defensible VEX statements on an SLA, we can help. If the FDA raises cybersecurity deficiencies after our submission, we resolve them at no additional cost. Schedule a discovery call.
Christian Espinosa, Founder, Blue Goat Cyber, CISSP, OSCP. Christian has led postmarket cybersecurity programs for connected medical devices across Class II and Class III submissions and previously commanded military red-team operations. Read more at christian-espinosa.